From: phind.uet@gmail.com
To:
Cc: Nguyen Dinh Phi, qemu-devel@nongnu.org
Subject: [PATCH] util/readline: Fix out-of-bounds access in readline_insert_char().
Date: Thu, 2 Apr 2026 18:51:49 +0800
Message-ID: <20260402105150.274595-1-phind.uet@gmail.com>
List-Id: qemu development
From: Nguyen Dinh Phi

Currently, the readline_insert_char() function is guarded by the cursor
position (cmd_buf_index) rather than the actual buffer fill level
(cmd_buf_size). The current check is:

    if (rs->cmd_buf_index < READLINE_CMD_BUF_SIZE)

This logic is flawed because if the command buffer is full and a user moves
the cursor backward (e.g. by sending the left arrow key), cmd_buf_index can be
decreased without decreasing the buffer size. This allows subsequent
insertions to increase cmd_buf_size past its maximum limit of rs->cmd_buf.

Because in the ReadLineState struct, cmd_buf[READLINE_CMD_BUF_SIZE + 1] is
immediately followed by the cmd_buf_index integer, once the buffer size is
sufficiently inflated, the memmove() operation inside readline_insert_char()
can write past the end of cmd_buf[] and overwrite cmd_buf_index itself.
The subsequent line:

    rs->cmd_buf[rs->cmd_buf_index] = ch;

then writes the input character to an address determined by the now-corrupted
index. By providing a specifically crafted input sequence via HMP, this flaw
can be used to redirect the write operation to overwrite any field within the
ReadLineState structure, which can lead to unpredictable behavior or
application crashes.

Fix this by adding the guard to check for buffer fullness and ensuring the
index remains valid.

Signed-off-by: Nguyen Dinh Phi
---
 util/readline.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/util/readline.c b/util/readline.c index 0f19674f52..6b1de1094a 100644 --- a/util/readline.c +++ b/util/readline.c @@ -84,7 +84,8 @@ static void readline_update(ReadLineState *rs) =20 static void readline_insert_char(ReadLineState *rs, int ch) { - if (rs->cmd_buf_index < READLINE_CMD_BUF_SIZE) { + if (rs->cmd_buf_index <=3D rs->cmd_buf_size && + rs->cmd_buf_size < READLINE_CMD_BUF_SIZE) { memmove(rs->cmd_buf + rs->cmd_buf_index + 1, rs->cmd_buf + rs->cmd_buf_index, rs->cmd_buf_size - rs->cmd_buf_index);
--
2.43.0
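Review bot: the two-part guard is correct, but the hunk leaves the invariant it enforces undocumented; a one-line comment above the new `if` saying that `cmd_buf_index <= cmd_buf_size` keeps the memmove length non-negative and `cmd_buf_size < READLINE_CMD_BUF_SIZE` keeps the post-increment fill level inside `cmd_buf` would tell the next reader why both conditions are needed, since neither alone is sufficient. The commit message says the fix "ensures the index remains valid", yet the hunk only rejects an invalid index rather than repairing one, so the message should say "rejects" to match the code. Given the message describes an out-of-bounds write reachable from HMP input, the patch would normally carry a `Cc: qemu-stable` line, and a unit test that fills the buffer, moves the cursor left once and inserts a character, asserting that `cmd_buf_size` never exceeds `READLINE_CMD_BUF_SIZE`, would keep the regression from coming back.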
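The mechanism the commit message describes, as an added example that is not part of the patch or of QEMU's own code: a scaled-down stand-in for ReadLineState (hypothetical `RlModel`, 8-byte buffer instead of READLINE_CMD_BUF_SIZE, and every function name here is an assumption) runs the fill-buffer, cursor-left, insert sequence once under the guard that existed before the patch and once under the guard the patch introduces. The model insert re-checks the bounds a correct guard must guarantee and refuses to write when they fail, so the old guard's failure is reported as a return code instead of corrupting memory.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical scaled-down stand-in for QEMU's ReadLineState: the buffer is
 * 8 bytes instead of READLINE_CMD_BUF_SIZE so the sequence stays short, but
 * the layout the commit message relies on (cmd_buf immediately followed by
 * cmd_buf_index) is kept. */
#define MODEL_BUF_SIZE 8

typedef struct {
    char cmd_buf[MODEL_BUF_SIZE + 1];
    int cmd_buf_index;   /* cursor position */
    int cmd_buf_size;    /* fill level */
} RlModel;

typedef bool (*insert_guard_fn)(const RlModel *rs);

/* Guard used before the patch: checks the cursor, not the fill level. */
static bool guard_before_patch(const RlModel *rs)
{
    return rs->cmd_buf_index < MODEL_BUF_SIZE;
}

/* Guard introduced by the patch: cursor must lie inside the filled region
 * and the buffer must have room for one more character. */
static bool guard_after_patch(const RlModel *rs)
{
    return rs->cmd_buf_index <= rs->cmd_buf_size &&
           rs->cmd_buf_size < MODEL_BUF_SIZE;
}

/* Result codes for insert_char(). */
enum { INSERT_OK = 0, INSERT_REJECTED = 1, INSERT_WOULD_OVERFLOW = -1 };

/* Model of readline_insert_char() with a pluggable guard. Unlike the real
 * function, it re-checks the bounds a correct guard must guarantee and
 * refuses to perform the write when they fail, so a bad guard is reported
 * instead of overwriting the fields that follow cmd_buf. */
static int insert_char(RlModel *rs, int ch, insert_guard_fn guard)
{
    if (!guard(rs)) {
        return INSERT_REJECTED;                 /* character dropped */
    }
    /* What the memmove and the store need: index <= size (non-negative
     * length) and size + 1 <= MODEL_BUF_SIZE (shifted tail stays in cmd_buf). */
    if (rs->cmd_buf_index > rs->cmd_buf_size ||
        rs->cmd_buf_size >= MODEL_BUF_SIZE) {
        return INSERT_WOULD_OVERFLOW;           /* guard let a bad state through */
    }
    memmove(rs->cmd_buf + rs->cmd_buf_index + 1,
            rs->cmd_buf + rs->cmd_buf_index,
            (size_t)(rs->cmd_buf_size - rs->cmd_buf_index));
    rs->cmd_buf[rs->cmd_buf_index] = (char)ch;
    rs->cmd_buf_size++;
    rs->cmd_buf_index++;
    return INSERT_OK;
}

/* Cursor-left as the commit message describes it: the index moves back,
 * the fill level does not change. */
static void cursor_left(RlModel *rs)
{
    if (rs->cmd_buf_index > 0) {
        rs->cmd_buf_index--;
    }
}

/* Insert n characters, move the cursor left once, then insert one more.
 * Returns the result code of that final insert. */
static int fill_left_insert(int n, insert_guard_fn guard)
{
    RlModel rs;
    memset(&rs, 0, sizeof(rs));
    for (int i = 0; i < n; i++) {
        insert_char(&rs, 'a' + i, guard);
    }
    cursor_left(&rs);
    return insert_char(&rs, 'X', guard);
}

int main(void)
{
    /* Full buffer, cursor moved left: old guard admits the write (-1),
     * patched guard rejects it (1); a half-full buffer still accepts (0). */
    printf("full buffer, before patch: %d\n",
           fill_left_insert(MODEL_BUF_SIZE, guard_before_patch));
    printf("full buffer, after patch:  %d\n",
           fill_left_insert(MODEL_BUF_SIZE, guard_after_patch));
    printf("half-full, after patch:    %d\n",
           fill_left_insert(MODEL_BUF_SIZE / 2, guard_after_patch));
    return 0;
}
```

The point of the second bounds check inside `insert_char()` is to make the guard's job explicit: once the cursor has been moved left on a full buffer, `cmd_buf_index < MODEL_BUF_SIZE` is true while `cmd_buf_size` is already at capacity, which is exactly the state the patched condition `cmd_buf_size < READLINE_CMD_BUF_SIZE` refuses.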